CVE-2022-22107

Опубликовано: 05 янв. 2022

Источник: nvd

CVSS3: 4.3

CVSS2: 4

EPSS Низкий

Описание

In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable to Missing Authorization. An attacker that has the lowest privileges account (employee type user), can view the appointments of all users in the system including administrators. However, this type of user is not authorized to view the calendar at all.

Ссылки

https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
Third Party Advisory
https://github.com/Bottelet/DaybydayCRM/commit/a0392f4a4a14e1e3fedaf6817aefce69b6bd661b
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22107
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:daybydaycrm:daybyday_crm:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.2.0 (включая)

EPSS

Процентиль: 36%

0.00151

Низкий

4.3 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

GHSA-44gv-fgcj-w546